AXSA:2019-4276:03

Release date: Thursday, September 12, 2019 - 09:50
Subject: ruby-2.0.0.648-36.el7
Affected Channels: Asianux Server 7 for x86_64
Severity: Moderate
Description: 

Ruby is an extensible, interpreted, object-oriented scripting language. It has features for processing text files and performing system management tasks.

Security Fix(es):

* ruby: HTTP response splitting in WEBrick (CVE-2017-17742)

* ruby: DoS by large request in WEBrick (CVE-2018-8777)

* ruby: Buffer under-read in String#unpack (CVE-2018-8778)

* ruby: Unintentional directory traversal by poisoned NULL byte in Dir (CVE-2018-8780)

* ruby: Tainted flags are not propagated in Array#pack and String#unpack with some directives (CVE-2018-16396)

* rubygems: Path traversal when writing to a symlinked basedir outside of the root (CVE-2018-1000073)

* rubygems: Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML (CVE-2018-1000074)

* rubygems: Improper verification of signatures in tarball allows a mis-signed gem to be installed (CVE-2018-1000076)

* rubygems: Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL (CVE-2018-1000077)

* rubygems: XSS vulnerability in homepage attribute when displayed via gem server (CVE-2018-1000078)

* rubygems: Path traversal issue during gem installation allows writing to arbitrary filesystem locations (CVE-2018-1000079)

* ruby: Unintentional file and directory creation with directory traversal in tempfile and tmpdir (CVE-2018-6914)

* ruby: Unintentional socket creation by poisoned NULL byte in UNIXServer and UNIXSocket (CVE-2018-8779)

* rubygems: Infinite loop due to a negative size in a tar header causes a Denial of Service (CVE-2018-1000075)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Asianux Server 7.7 Release Notes linked from the References section.

CVE-2017-17742
Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.
CVE-2018-1000073
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in the install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6.
CVE-2018-1000074
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in the owner command that can result in code execution. This attack appears to be exploitable when the victim runs the `gem owner` command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6.
CVE-2018-1000075
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an infinite-loop vulnerability in the handling of the ruby gem package tar header: a negative size in the header can cause an infinite loop. This vulnerability appears to have been fixed in 2.7.6.
CVE-2018-1000076

CVE-2018-1000077
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an Improper Input Validation vulnerability in the ruby gems specification homepage attribute, as a result of which a malicious gem could set an invalid homepage URL. This vulnerability appears to have been fixed in 2.7.6.
CVE-2018-1000078
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in the gem server display of the homepage attribute that can result in XSS. This attack appears to be exploitable when the victim browses to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6.
CVE-2018-1000079
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation, as a result of which the gem could write to arbitrary filesystem locations during installation. This attack appears to be exploitable when the victim installs a malicious gem. This vulnerability appears to have been fixed in 2.7.6.
CVE-2018-16396
An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some formats.
CVE-2018-6914
Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 might allow attackers to create arbitrary directories or files via a .. (dot dot) in the prefix argument.
CVE-2018-8777
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption).
CVE-2018-8778
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker controlling the unpacking format (similar to format string vulnerabilities) can trigger a buffer under-read in the String#unpack method, resulting in a massive and controlled information disclosure.
CVE-2018-8779
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open methods do not check for null characters, so a connection may be made to an unintended socket.
CVE-2018-8780
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and Dir.empty? methods do not check for NUL characters. When one of these methods is used, unintentional directory traversal may be performed.
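
As an added example (not code from this advisory, from Asianux, or from Ruby upstream), the following Ruby shows an application-level guard for the prefix handed to Dir.mktmpdir, covering the ".." traversal of CVE-2018-6914 and the poisoned NUL byte of CVE-2018-8779/8780 described above. The names validate_tmp_prefix, safe_mktmpdir, rejected? and UnsafePrefix are hypothetical, and the sample prefixes are constructed.

```ruby
require 'tmpdir'
require 'fileutils'

# Constructed example (not Asianux or Ruby upstream code). Dir.mktmpdir joins
# the prefix into a path under Dir.tmpdir, so the prefix must behave like a
# single path component. This guard is stricter than the upstream fix (it also
# rejects "a..b"), which is acceptable for an allow-list on untrusted input.

class UnsafePrefix < ArgumentError; end

# Returns the prefix unchanged when it is a plain, non-empty path component.
def validate_tmp_prefix(prefix)
  raise UnsafePrefix, "prefix must be a String" unless prefix.is_a?(String)
  raise UnsafePrefix, "empty prefix" if prefix.empty?
  raise UnsafePrefix, "NUL byte in prefix" if prefix.include?("\0")
  raise UnsafePrefix, "path separator in prefix" if prefix =~ %r{[/\\]}
  raise UnsafePrefix, "dot-dot in prefix" if prefix.include?("..")
  prefix
end

# Creates a temporary directory from a validated prefix; as defence in depth,
# removes it and raises if its resolved path still escaped the temp directory.
def safe_mktmpdir(prefix)
  dir = Dir.mktmpdir(validate_tmp_prefix(prefix))
  base = File.realpath(Dir.tmpdir)
  real = File.realpath(dir)
  unless real.start_with?(base + File::SEPARATOR)
    FileUtils.rm_rf(dir)
    raise UnsafePrefix, "temporary directory #{real} is outside #{base}"
  end
  dir
end

# True when the guard rejects the prefix, false when it accepts it.
def rejected?(prefix)
  validate_tmp_prefix(prefix)
  false
rescue UnsafePrefix
  true
end

if __FILE__ == $PROGRAM_NAME
  dir = safe_mktmpdir("upload")
  puts "created #{dir}"
  FileUtils.rm_rf(dir)
  ["../../tmp/evil", "evil\0", "a/b", "upload"].each do |p|
    puts "#{p.inspect}: rejected=#{rejected?(p)}"
  end
end
```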

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
1. ruby-2.0.0.648-36.el7.src.rpm
md5sum: e46813882dff2eebb6d6dda3ee0e32ed
sha256sum: 748daa6ce11f030a118107a4a5b23c48e8416c97526f227a4e0bf5e32352593d
Size: 10,490 Kb

Asianux Server 7.0 for x86_64
1. ruby-2.0.0.648-36.el7.x86_64.rpm
md5sum: 352a1ea3f55fc6864d804ee5c7060b00
sha256sum: a9b8eb5539cad7e5fff51112874a4b6a20d2019f4522e4c624571c0cff1d36a1
Size: 72 Kb
2. rubygem-bigdecimal-1.2.0-36.el7.x86_64.rpm
md5sum: c76a750c5bdcf6e6b1a935310c00c809
sha256sum: 6390b6b4f3ad21f164e323fa55bc2b0132f4354b758f5033f1aed7ff35996bc0
Size: 84 Kb
3. rubygem-io-console-0.4.2-36.el7.x86_64.rpm
md5sum: 0f9b2374fa117afc657af4c799572cb8
sha256sum: 02697b6a43e236f3c3e0253a64011c4c49d8ddcc835c587492efafed9f2322ce
Size: 55 Kb
4. rubygem-json-1.7.7-36.el7.x86_64.rpm
md5sum: c5e5d58767a61cfd113c555749414279
sha256sum: 5a5566f16c17a8eae838c3714b05ca2e412149644c69606ea547dc27f16a67a3
Size: 81 Kb
5. rubygem-psych-2.0.0-36.el7.x86_64.rpm
md5sum: 7378fa2c90d79369bcd2087ad8141d30
sha256sum: 1657a3a5c40b4f958b33aaa07462aca1f9f3eb766cc29054aef398bd3e99dbbc
Size: 83 Kb
6. rubygem-rdoc-4.0.0-36.el7.noarch.rpm
md5sum: 01caaf626d8e838b6c412f2e70dc8a15
sha256sum: e63b032b14a9f53078559283aa7096baf05e457139f170ab4b7c1cf14755219d
Size: 323 Kb
7. rubygems-2.0.14.1-36.el7.noarch.rpm
md5sum: 9d3ea3fba1f5d57c3ce1bc4d9931a1e3
sha256sum: f0ba97a347aa4c37c38e61e9dcb2903a2f018a8b74db0c7dd7cb6a322dc63b92
Size: 214 Kb
8. ruby-irb-2.0.0.648-36.el7.noarch.rpm
md5sum: deb5f4cc2021a06e67585acc10f1ddb2
sha256sum: 97b0fda2f344514fd0e33cf2e1187cc0a6bb81e89474cca9c66079c4c371606b
Size: 93 Kb
9. ruby-libs-2.0.0.648-36.el7.x86_64.rpm
md5sum: 730366c3a457a9b6c2242e6fbc405fd5
sha256sum: 2dc474b030c7d353228cf5ab1f7d1ec49051c184adb333d6c1424b89c2ee5b90
Size: 2,866 Kb
10. ruby-libs-2.0.0.648-36.el7.i686.rpm
md5sum: 3a3b540c2b3625440d0eb0fe60dcbf07
sha256sum: 60ce8a4bbf46c9df8b53a13a1eec83743c646cb0ea45b4e78b615ffe324ad700
Size: 2,900 Kb
Copyright © 2007-2015 Asianux. All rights reserved.